Give option to run bareos-client as UID/GID
Closed this issue · 12 comments
Hi,
I'm running yours image of bareos-client on synology.
By default Alpine package creates user bareos which id is 100 and gid is 101.
https://git.alpinelinux.org/aports/tree/community/bareos/bareos.pre-install
Unfortunately since DSM6 I think it's impossible to create user with such small ID... so I end up with permission denied on each new directory.
Maybe you could give an option for environment variables:
- BAREOS_UID_MAPPING: 5555, BAREOS_GID_MAPPING: 5555
and then just before installing apk add bareos invoke
addgroup -S bareos -g $BAREOS_GID_MAPPING 2>/dev/null
adduser -S -D -H -h /var/lib/bareos -s /sbin/nologin -G bareos -g bareos -u $BAREOS_UID_MAPPING bareos 2>/dev/null
This issue is present on the bareos user on debian using the :latest tag as well, results in uid:gid as 101:101 for me.
The UID and GID issue is only on linux hosts, as the windows tray bar has correct ACL on its host from installation.
Linuxserver provides setting the PUID and PGID as environmental variables in compose, this feature is present in their base images too, though they setup a lot of other basic services too. So to keep it minimal I have just added two lines in the clients docker-entrypoint.sh before we change required permissions using the usermod command.
#!/usr/bin/env bash
bareos_fd_config="/etc/bareos/bareos-fd.d/director/bareos-dir.conf"
usermod -u ${PUID} bareos
usermod -aG ${PGID} bareos
...
Now we can use these variables in our compose:
...
environment:
- PUID=1000
- PGID=1000
...
This is only tested on the ubuntu 19 client, but Alpine does not have usermod available on the base image, there are workarounds. So I might make the transition over to the adduser and addgroup solution proposed here that can be made into a PR for the latest Alpine and Ubuntu images.
i will try to find a better way to use customized uid/gid
i don't like so much both solutions (adduser & usermod)
What is the rational behind specifying the user specificly at all? Wouldn't is suffice to specify the bareos user via the USER command in the docker file? Reinventing this mechanism using env variables seems like a bad idea to me.
I don't think so. I think USER is used by operating system to run the process and not to define its owner.
I have just tried to force USER to "bareos" or something different than "root" but bareos-fd can't start !
bareos-fd_1 | standard_init_linux.go:211: exec user process caused "permission denied"
This is not a build command but a runtime one
Just to confirm, if you set USER bareos in the line before the CMD, and remove the -u bareos from the CMD, that does not work?
Yes, It's exactly what i tested and i got a permission denied
Also if USER is not set and -u bareos removed, bareos-fd start normaly with root permissions
That baffles me. I would expect for example a systemd service to start bareos directly under another user as well, in the same way that the USER directive from docker does it. However, if doesn't work, I'm sorry to have bothered.
maybe related to bareos-fd, located in /usr/sbin
i tested manualy inside bareos-client container, i'm able to launch bareos-fd with bareos user.
ok i understood, it's related to docker-entrypoint.sh script
ENTRYPOINT seems to be run with USER
i have to think about that a bit more :D
At this moment docker-entrypoint.sh needs to be run as root, at least to fix perm inside /etc/bareos/bareos-fd.d when people load files with wrong permissions
if we use USER variable with something else than root, docker-entrypoint will failed, also it could require to create a new user if it doesn't exist